United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

AUG 11 2011

MEMORANDUM

TO:       A/LM/AQM - Cathy J. Read
FROM:     OIG - Harold W. Geisel
SUBJECT:  Report on Audit of Department of State Safeguarding Citizens - Computer Security Systems Program Funded by the American Recovery and Reinvestment Act

The subject report is attached for your review and action. As the action office for the report's one recommendation, please provide your response to the report and information on actions taken or planned for the recommendation within 30 days of the date of this memorandum. Actions taken or planned are subject to follow-up and reporting in accordance with the attached compliance response information.

The Office of Inspector General (OIG) incorporated your comments as appropriate within the body of the report and included them in their entirety as Appendix C.

OIG appreciates the cooperation and assistance provided by your staff during this audit. If you have any questions, please contact Evelyn R. Klemstine, Assistant Inspector General for Audits, at (202) 663-0372 or Richard Astor, Division Director, at (703) 284-2601 or by email at astorr@state.gov.

Attachment: As stated.

cc: INRJEXlB&F - (b) (6)
    MlPRI - (b) (6)
    IRM/BMP/SPO/SPD - (b) (6)

UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

Office of Audits

Audit of the Department of State
Safeguarding Citizens –
Computer Security Systems Program
Funded by the
American Recovery and Reinvestment Act

AUD/CG-11-36
August 2011

Important Notice

This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C.
§ 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PREFACE

This report is being transmitted pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector General's (OIG) responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

This report addresses the Department of State's (Department) compliance with Federal, Department, and American Recovery and Reinvestment Act (Recovery Act) acquisition management practices as related to the Department's Safeguarding Citizens - Computer Security Systems program. The report is based on interviews with Department employees and officials, direct observation, and a review of applicable documents.

OIG contracted with the independent public accountant Clarke Leiper, PLLC, to perform this audit. The contract required that Clarke Leiper perform its audit in accordance with guidance contained in the Government Auditing Standards, issued by the Comptroller General of the United States.
Clarke Leiper's report is included.

Clarke Leiper identified three areas in which improvements could be made: transparency of award notifications posted on the Web site FedBizOpps, compliance with certain requirements established by the Office of Management and Budget, and accuracy of reporting by award recipients.

OIG evaluated the nature, extent, and timing of Clarke Leiper's work; monitored progress throughout the audit; reviewed Clarke Leiper's supporting documentation; evaluated key judgments; and performed other procedures as appropriate. OIG concurs with Clarke Leiper's findings, and the recommendations contained in the report were developed on the basis of the best knowledge available and were discussed in draft form with those individuals responsible for implementation. OIG's analysis of management's response to the recommendations has been incorporated into the report. OIG trusts that this report will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of the individuals who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

CLARKE LEIPER PLLC
CERTIFIED PUBLIC ACCOUNTANTS
6265 FRANCONIA ROAD
ALEXANDRIA, VA 22310-2510
703-922-7622
FAX: 703-922-8256
DORA M. CLARKE
LESLIE A. LEIPER

Audit of the Department of State Safeguarding Citizens – Computer Security Systems Program Funded by the American Recovery and Reinvestment Act

Office of Inspector General
U.S. Department of State
Washington, D.C.

Clarke Leiper, PLLC (referred to as “we” in this letter), has performed an audit of the Department of State (Department) Safeguarding Citizens – Computer Security Systems program funded by the American Recovery and Reinvestment Act (Recovery Act). We evaluated the program’s planned activities, contracts awarded with Recovery Act funds, and compliance with reporting requirements established by the Recovery Act. This performance audit, performed under Contract No. SAQMPD04D0033, was designed to meet the objective identified in the report section titled “Objective” and further defined in Appendix A, “Scope and Methodology,” of this report.

We conducted this performance audit from April through October 2010 in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. We communicated the results of our performance audit and the related findings and recommendations to the U.S.
Department of State Office of Inspector General.

We appreciate the cooperation provided by personnel in Department offices during the audit.

Clarke Leiper, PLLC
July 2011

ACRONYMS

A/LM/AQM       Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management
Department     Department of State
DS             Bureau of Diplomatic Security
FAR            Federal Acquisition Regulation
FBO            Federal Business Opportunities (FedBizOpps)
FPDS           Federal Procurement Data System
GFMS           Global Financial Management System
IRM            Bureau of Information Resource Management
IT             information technology
OIG            Office of Inspector General
OMB            Office of Management and Budget
Recovery Act   American Recovery and Reinvestment Act of 2009
TAS            Treasury Account Symbol

TABLE OF CONTENTS

Executive Summary
Background
Objective
Results of Audit
   A. Program Objectives Are Being Accomplished
   B. Program Is Generally in Compliance With Recovery Act Requirements

Appendices
   A. Scope and Methodology
   B. Capital Investment Fund
   C. Bureau of Administration Response

Executive Summary

The American Recovery and Reinvestment Act of 2009 (Recovery Act)[1] provided approximately $25.4 million to fund the Safeguarding Citizens – Computer Security Systems (Safeguarding Citizens) program to deploy state-of-the-art computer security systems to the Department of State (Department) headquarters building and embassies worldwide.

The objective of our audit was to determine whether the Department adequately implemented Safeguarding Citizens program plans, achieved stated program outcomes, and complied with the reporting requirements of the Recovery Act.

We found that program managers in the Bureau of Information Resource Management (IRM) have planned for and integrated the Safeguarding Citizens program into the Department’s existing information technology (IT) initiatives. Because the objectives of the Safeguarding Citizens program are part of an already-existing IT Strategic Plan, much of the initial planning has already been approved. The plan includes appropriate focus on accountability and other requirements of Recovery Act funds. In addition, we determined that the Department’s plans were thorough and well thought out.
Delays in scheduled progress have been justified and were considered to be reasonable.

The Department has taken appropriate actions in establishing guidelines intended to ensure compliance with Office of Management and Budget (OMB) requirements for the Recovery Act. Contracts were awarded in accordance with the Federal Acquisition Regulation (FAR) and OMB memoranda.[2] Although procedures related to data transparency and reporting requirements were established and implemented, a few minor instances of noncompliance were identified for the program. Recovery Act transparency requirements identifying the purpose, nature, and corresponding program for contract awards were not met prior to the awards being posted or publicized. Also, some Recovery Act award information was not reported accurately.

We recommended that the Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management (A/LM/AQM), enhance its contract oversight efforts to ensure more complete and accurate reporting of award information.

In its response to the draft report (see Appendix C), AQM concurred with the recommendation. Based on the response, OIG considers the recommendation resolved, and it will be closed pending review and acceptance of documentation for the actions OIG specified. The response and OIG’s analysis are presented after the recommendation.

[1] Pub. L. No. 111-5, 123 Stat. 115 (2009).
[2] Memorandums M-09-10, Initial Implementing Guidance for the American Recovery and Reinvestment Act of 2009, and M-09-15, Updated Implementing Guidance for the American Recovery and Reinvestment Act of 2009.

Background

The Recovery Act was signed into law as a direct response to the recent economic crisis in an effort to jumpstart the economy and invest in long-term growth by creating or saving jobs and putting a downpayment on addressing long-neglected challenges. The Department was provided $602 million in Recovery Act funds to create and save jobs, repair and modernize domestic infrastructure crucial to the safety of American citizens, enhance energy independence, and expand consular services offered to American taxpayers. The Recovery Act also established an unprecedented level of accountability and transparency in Government spending. Agencies and contractors were subject to new reporting requirements set forth by OMB that allow the general public to view Recovery Act spending in a direct and timely manner. The Department’s projects and a breakdown of proposed spending of Recovery Act funds are summarized in Table 1.

Table 1. Department of State Projects and Proposed Spending of Recovery Act Funds

Department of State – Account / Project                                       Funds (in 000s)
Diplomatic & Consular Programs                                                        $90,000
    - Hard Skills Training Center                                                      70,000
    - Consular Affairs Passport Facilities                                             15,000
    - National Foreign Affairs Training Center                                          5,000
Capital Investment Fund                                                              $290,000
    - Data Center                                                                     120,000
    - IT Platform                                                                      33,500
         Diplomatic Facility Telephone System Replacement                              10,000
         Replacement of Aging Desktop Computers (GITM)                                 13,000
         Mobile Computing                                                              10,500
    - Cyber Security                                                                   98,500
         Tools to Guard Against & Track Cyber Attacks                                  64,205
         Strengthen Computer H/W Security Testing & Forensic Investigations             4,000
         Safeguarding Citizens – Computer Security Systems                            $25,366
         Expanded Cyber Education                                                       4,929
    Transfer to U.S. Agency for International Development (USAID)                      38,000
Office of Inspector General                                                            $2,000
International Boundary and Water Commission Construction                             $220,000
TOTAL                                                                                $602,000
Source: Department of State.

Of the total $602 million the Department received in Recovery Act funds, $25,366,000 was designated for the Safeguarding Citizens program. This program involves deploying state-of-the-art computer security systems to the Department headquarters building and at U.S. Embassies worldwide.

The Department of State’s unique relationships with the Departments of Homeland Security, Justice, and Defense and with private-sector partners make the Department of State’s information a major target of hostile intelligence services and terrorist organizations. This threat to the Department’s information systems must be addressed to protect American interests and citizens both domestic and overseas. The critical systems that process passports and visas, support foreign policy negotiations, and synchronize U.S. evacuations are under constant attack. The Department requires cutting-edge security solutions that incorporate comprehensive and modern protections to enhance National security and address the challenges of constantly changing cyber threats.
To address these issues, the Safeguarding Citizens program has three main projects:

   1. Public Key Infrastructure (PKI – Smart ID badges) – This program allows all domestic Department employees and contractors to gain physical access to Department facilities and logical access to information systems through the issuance of a single Smart identification (ID) badge, which is in contrast to the current “two-card” system. Recovery Act funds will be used to assist current Department efforts in procuring and implementing these Smart cards and card readers.
   2. Secure Voice Phones (SV) – The Department’s current secure telephones use technologies that were developed in the late 1980s and 1990s. The end of life of this Government-developed system and the change of the global telephone infrastructure to Voice over Internet Protocol (VoIP) are making the current telephones unreliable and encouraging the Department to accelerate its migration to the next generation telephone, which uses VoIP technologies. Recovery Act funds will be used to supplement current Department efforts by funding the procurement of secure telephones.
   3. Anti-Virus (AV) – The AV Program implements and manages Department-wide countermeasures to stop malicious code, such as computer viruses, SPAM, adware, phishing, spyware, and other cyber threats. Recovery Act funds will be used to extend current anti-virus capabilities to allow for the following centrally managed and configured processes:
           a. Prevent the use of any unauthorized devices (for example, USB thumb drives) on any system within the Department while allowing authorized devices to be used at any location enterprise-wide.
           b. Prevent unauthorized software from running or, based on the security requirements of the system, log attempts to run unauthorized software.
           c. Prevent any system not meeting current security profiles (such as patch status) from connecting to the network and offer remedial action options for network control centers.

Objective

The objective of our audit was to determine whether the Department adequately implemented Safeguarding Citizens program plans, achieved stated program outcomes, and complied with the reporting requirements of the Recovery Act.

Results of Audit

The Department has made progress in accomplishing its Safeguarding Citizens program objectives and milestones. The success of the program was the result of collaboration between several Department bureaus and other Department personnel and contractor staff.

As of September 30, 2010, almost 100 percent of the $25,366,000 in program funds had been obligated for contracts to support three major subprojects: Public Key Infrastructure (PKI – Smart ID badges), Secure Voice Phones, and Anti-Virus Countermeasures.

Overall, program managers in IRM have complied with OMB management and financial oversight requirements.
Also, funds were awarded and distributed in a prompt, fair, and reasonable manner. However, we noted several areas in which Recovery Act procedures were not followed and contract data was not reported accurately.

Finding A. Program Objectives Are Being Accomplished

Based on our inquiries of project management, review of supporting documentation, and tests for propriety of contract obligation and expenditure transactions, we determined that satisfactory progress is being made on meeting program objectives. Recovery Act funds are appropriately accounted for and being used in accordance with approved program plans. The objectives of the Safeguarding Citizens program do not encompass complete and discrete plans for the Department’s existing Safeguarding Citizens and Information Technology (IT) Strategic Plan. These Recovery Act-funded activities are only partial components of broader Department plans. Therefore, the Safeguarding Citizens program is intended primarily to supplement the Department’s current efforts by funding certain activities within those plans. We found that the Safeguarding Citizens program did not experience any significant delays or funding issues with regard to those activities funded by the Recovery Act.

Major contracts awarded using Recovery Act funds under the Safeguarding Citizens program are shown in Table 2.

Table 2. Safeguarding Citizens Program Major Contracts Awarded (As of September 30, 2010)

PROJECT  VENDOR                      AWARD NUMBER                    OBLIGATIONS  EXPENDITURES  GOODS / SERVICES
PKI      Precise Biometrics          SAQMMA09C0175                    $5,875,000    $5,875,000  Biometric readers and equipment
PKI      Siemens Govt Services       SAQMPD05D1115                    $5,273,774    $2,094,002  Installation of card readers for building access
PKI      Agtech, LLC                 SAQMMA07F1066                    $3,967,527    $1,474,551  Third-party independent support to conduct Federal PKI cross-certification audits
SV       National Security Agency    (Federal Vendor) Not an award    $4,999,400    $4,999,400  Procurement of 1,720 vIPer secure telephones
AV       Carahsoft Technology Group  SAQMMA10F2459                    $3,049,803    $2,604,200  Anti-virus software and support
         TOTAL                                                       $23,165,504   $17,047,153
Source: Department of State.

Finding B. Program Is Generally in Compliance With Recovery Act Requirements

IRM program managers adequately planned for and managed funds provided for the Safeguarding Citizens program.
Recovery Act funds were used for their intended purposes, and overall, the Department complied with OMB requirements. Funds were awarded and distributed in a prompt, fair, and reasonable manner. Also, contractors and other fund recipients met eligibility requirements and complied with award requirements. For example, fixed-price contracts were made to American companies for hardware, software, and circuits in support of American high-technology companies. As required by the Recovery Act, separate Treasury Account Symbols (TAS) were established for the Safeguarding Citizens program. As reported through the Department’s Capital Investment Fund, we verified that program funds had proper approvals and that the monitoring of subprojects and contracts was adequate, as detailed in Appendix B, “Capital Investment Fund.” We did note, however, some minor instances in which Recovery Act procedures were not followed and contract data was not reported accurately.

Notifications on the Federal Business Opportunities Web Site

For the 15 contracts reviewed, we found that the majority of the FedBizOpps.gov notifications did not provide adequate transparency or a clear understanding to the general public of the purpose, nature, and corresponding program of the procurements. The Department has publicized both its program plans and its contracts awarded with Recovery Act funds. However, 12 award notifications did not reference specific program plans or objectives, which made it difficult to determine which awards were made with respect to the Department’s Recovery Act programs.
In addition, 17 award notifications did not include descriptions of the products or services that could be readily understood by the general public.

In that regard, OMB Memorandum M-09-15[3] states:

          Agencies should ensure that their descriptions of procurements use language appropriate for a more general audience, avoiding industry-specific terms and acronyms without plain language explanations. Taxpayers, media, and others are using our business systems to gain insight on how Recovery Act funds are being spent.

Transparency and accountability of Recovery Act funds are major requirements of the act. Since almost all program funds have been obligated, however, we are not making any recommendations for IRM to take actions to improve transparency for future procurement notifications reported through FedBizOpps.gov. Nevertheless, this deficiency prevented the general public from having the ability to identify procurements made pursuant to the Safeguarding Citizens program, since descriptions within award notifications did not contain references or mention corresponding programs.

[3] OMB Memorandum M-09-15, pt. 6.2, p. 57 (April 3, 2009).

        Recommendation 1. We recommend that the Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management, ensure, through more effective oversight of the quarterly review of recipient-reported data, that contractors that receive awards from the American Recovery and Reinvestment Act for the Safeguarding Citizens – Computer Security Systems program provide accurate award information and that the inaccurate award information identified in this report is corrected.

        Management Response: AQM concurred with the recommendation, stating that the bureau will research reported inaccuracies and provide OIG with an action plan to resolve any discrepancies.

        OIG Analysis: On the basis of the response, OIG considers the recommendation resolved. OIG will consider the recommendation closed pending review and acceptance of AQM’s action plan.

Instances of Noncompliance With Certain Office of Management and Budget Requirements

IRM generally followed OMB requirements for contracts supporting the Safeguarding Citizens program. However, we identified minor instances of agency noncompliance with OMB Memorandum M-09-15[4] concerning performance requirements in awarding contracts. Specifically, for the 15 contracts reviewed, we noted the following instances of noncompliance:

        • The clause in the FAR (part 52.204-11)[5] that specifies recipient reporting requirements was not included in the award documents for one award.

        • Pre-solicitation and award notifications were not published on FedBizOpps.gov for two awards. According to the FAR,[6] agencies should publish both presolicitation and award notifications on FedBizOpps for the procurement of all goods and services using Recovery Act funds.

        • On the Federal Procurement Data System Web site (FPDS.gov), one award was not identified as a Recovery Act initiative. According to the FAR,[7] in addition to publicizing contract and award actions on FPDS.gov, agencies should label all awards that are Recovery Act related.

Since almost all program funds have been obligated and the noncompliance instances cited are primarily isolated, we are not making any recommendations in this area.

[4] Ibid.
[5] FAR 52.204-11, “American Recovery and Reinvestment Act – Reporting Requirements.” (March 2009)
[6] FAR 5.704, “Publicizing Pre-award,” and FAR 5.705, “Publicizing Post-award.”
[7] FAR 4.605, “Contract Reporting - Procedures.”

Appendix A

Scope and Methodology

The Department of State (Department), Office of Inspector General (OIG), contracted with Clarke Leiper, PLLC, independent public accountant, to audit the Department’s Safeguarding Citizens – Computer Security Systems (Safeguarding Citizens) program.

The purposes of this audit were to evaluate the Safeguarding Citizens program and assess the Department’s planning and use of Recovery and Reinvestment Act (Recovery Act) funds in order to meet program objectives, to ensure that Recovery Act funds were used for their
intended purposes, and to determine whether the Department complied with Office of Management and Budget (OMB) requirements. To ensure the adequacy of program plans and to ensure that the Department used Recovery Act funds appropriately, we performed audit procedures to determine whether

• Funds were awarded and distributed in a prompt, fair, and reasonable manner.
• Recipients and uses of all funds were transparent to the public and the public benefits of the funds were reported clearly and accurately and in a timely manner.
• Risks associated with the project receiving Recovery Act funding have been identified and communicated to the Department.
• Funds were used for authorized purposes.
• The program has taken action to identify and mitigate instances of fraud, waste, error, and abuse.
• Established schedules were monitored and delays were properly justified.
• Cost overruns and unnecessary delays were avoided and lessons learned were identified to prevent recurrences.
• Program goals were achieved and specific program outcomes were realized.
• Contractors and other fund recipients met eligibility requirements and complied with award requirements.
• Adequate planning was conducted for potential future project phases.

We conducted the audit work from April through October 2010. This work was conducted in accordance with generally accepted government auditing standards. Those standards require that the auditors plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions based on audit objectives.
We and OIG believe that the evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objective.

In our audit of the Department’s Safeguarding Citizens program, we interviewed project managers and officials at the Bureaus of Information Resource Management (IRM) and Diplomatic Security (DS). We also evaluated documentation that supported planned activities and milestones, risk assessments, and other relevant documents in support of major accomplishments or decisions. For compliance with Recovery Act requirements, we reviewed contract files, award documentation, and information published on the Web sites Recovery.gov, FPDS.gov, and FedBizOpps.gov. In determining the proper use of Recovery Act funds, we tested sample transactions and reviewed related source documents, including purchase orders, contracts, vendor invoices, and payment and approval vouchers.

In the draft report, we addressed the report’s one recommendation to IRM. However, IRM officials suggested that the Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management (A/LM/AQM), would be the more appropriate office to take action on this recommendation.
Therefore, we redirected the recommendation in this final report to AQM, whose response is presented in Appendix C.

Work Related to Internal Controls

To assess the adequacy of internal controls related to the weekly activity reports, the accountability of Recovery Act funds, and the monitoring of projects to avoid cost overruns and delays, we performed the following actions:

• Obtained an understanding of the processes and procedures.
• Reviewed source documentation and other types of evidence in order to confirm the adequacy of stated controls.
• Compared weekly report balances with details and reconciled differences in the Global Financial Management System (GFMS).
• Reviewed internal reports related to the compilation of balances and amounts for reporting to the public.
• Compared reported progress with information in the planning documents and progress schedules.
• Determined that separate Treasury Account Symbols were established for Recovery Act programs.
• Verified proper approval over transactions involving Recovery Act funds.
• Discussed with program managers issues regarding cost overruns and delays and subsequently compared responses with expenditure details and program schedules to assess the reasonableness of responses.

Data Reliability

We selected a sample and performed the following procedures in assessing data reliability and quality:

• Reviewed contract files to determine whether contracts were competitively awarded and at fixed cost.
• Tested, if a contract was determined to have been awarded noncompetitively or at a non-fixed cost, whether the contract was disclosed and listed in a separate section on Recovery.gov.
• Reviewed, for each
contract, corresponding notifications and award information published on FedBizOpps.gov and FPDS.gov to determine whether all required Recovery Act disclosures and identifying information were reported.
• Reviewed, for each contract, the vendors’ reported data from Recovery.gov to ensure that all required information was included. We also compared vendor-reported amounts with those within GFMS.
• Compared weekly financial report balances with underlying schedules and GFMS details.

Use of Computer-Processed Data

We used computer-processed data from GFMS to select sample items for testing contracts and obligation and/or expenditure transactions. We also compared GFMS details and reconciling schedules with information reported within the Recovery Act weekly financial reports posted by the Department. We determined that the GFMS data and schedules were reliable based on our selected sample and our testing of internal controls involving the weekly reporting process.

Appendix B

Capital Investment Fund

Funding for the Department of State (Department) Recovery and Reinvestment Act (Recovery Act) is allocated between four separate Treasury Account Symbols (TAS), or funds. These funds were created to comply with the Recovery Act requirement of tracking and accounting for Recovery Act funds separately from other agency funds.
Each TAS and related activities are included within the Department’s weekly financial reports.

As shown in Table 1, the Department’s Capital Investment Fund (TAS 1119) is broken down into three sections: Data Center, Cyber Security, and IT Platform initiatives. Safeguarding Citizens is tracked and recorded under the Cyber Security portion of the fund (TAS 1119.0002).

Table 1. Department of State Capital Investment Fund

Department of State – Capital Investment Fund (TAS 1119)   Fund Code   Planned Budgeted   Actual Obligations
  - Data Center                                             1119.0001       120,000,000          119,972,941
  - Cyber Security                                          1119.0002        98,500,000           98,502,834
  - IT Platform                                             1119.0003        33,500,000           33,499,148
Transfer to U.S. Agency for International Development           -            38,000,000           38,000,000
TOTAL                                                                     $ 290,000,000        $ 289,974,923

Source: Department of State.

Appendix C

United States Department of State
Washington, D.C. 20520

July 19, 2011

UNCLASSIFIED
MEMORANDUM

TO: OIG/AUD - ~ark Taylor

FROM: Cathy Read, A/LM/AQM

SUBJECT: Draft Reports ~~ Audit of the Department of State Safeguarding Citizens - Computer Security Systems Program Funded by the American Recovery and Reinvestment Act

Recommendation 1: We
recommend that the Bureau of Information Resource Management, Office of Enterprise Network Management, ensure, through more effective oversight of the quarterly review of recipient-reported data, that contractors that receive awards from the American Recovery and Reinvestment Act for the Safeguarding Citizens - Computer Security Systems program provide accurate award information and that the inaccurate award information identified in this report is corrected.

A/LM/AQM response:

A/LM/AQM will work with the OIG regarding the identified contracts/task orders and will research each reported inaccuracy. Once all procurement-related actions have been researched and verified, A/LM/AQM will provide OIG with an action plan to resolve any discrepancies.

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT of Federal programs and resources hurts everyone.

Call the Office of Inspector General HOTLINE 202-647-3320 or 1-800-409-9926 or e-mail oighotline@state.gov to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219

Please visit our Web site at: http://oig.state.gov

Cables to the Inspector General should be slugged “OIG Channel” to ensure confidentiality.